Basic VPN to Cisco ASA without authentication

Could anyone help me? I'm vaguely familiar (but certainly no expert) with the PIX, but this is my first ASA, and it's giving me grief! I've got most of it working, but I'm stuck on the VPN. We use VPN to PIX to access small sites without further authentication -- just group name and password and connect. (I know it's not good for security, but for what we do it works well, and often we have no other option anyway.)
Anyway, I can't get it to work on the ASA, but could really do with it, urgently!
Below are what I think are the relevant code fragments...
Could anyone please point me in the right direction... Please don't say it isn't possible any more!!
PIX code that seems to do the trick; comments in brackets are the bits the ASA turned its nose up at:-
crypto ipsec transform-set transet1 esp-des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup lestac address-pool vpnpool (vpngroup deprecated)
vpngroup lestac password secret (ditto)
vpngroup lestac dns-server yserver1 (ditto)
vpngroup lestac wins-server yserver1 (ditto)
vpngroup lestac default-domain harlow (ditto)
vpngroup lestac idle-time 1800 (ditto)
ASA "bits" I tried to use to replace the "deprecated" PIX bits to get the same effect:-
tunnel-group lestac type ipsec-ra
tunnel-group lestac general-attributes
address-pool vpnpool
default-group-policy lestac
tunnel-group lestac ipsec-attributes
pre-shared-key secret
group-policy lestac attributes
wins-server value
dns-server value
default-domain value harlow.local
vpn-idle-timeout 1800
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec

seworby (Author) commented:
I have it working. Whether it's the right way or not is a different matter...
The key to it is to set up a user so it has a user in the database to allow the secondary authentication to authenticate against. It seems this isn't necessary on the PIX but is on the ASA.
The vpn_filter value turned out in the end to be a bit of a red herring, as having it on prevented traffic from passing once connected.
username xzy password xyz123 privilege 2

For an ASA remote access VPN, you need pieces, three of which can be named the same: a group-policy, a tunnel-group, and a username. Here's a very basic example for vendor access:

# Create an ACL for vendor access to any destination
access-list vendor_acl extended permit ip any any

# Create a group policy
group-policy vendor internal

# Define the acl this policy will use
group-policy vendor attributes
  vpn-filter value vendor_acl

# Create the user
username vendor password *****

# Define the group policy and acl to control this user
username vendor attributes
  vpn-group-policy vendor
  vpn-filter value vendor_acl

# Define a tunnel group - type for remote access is 'ipsec-ra'
tunnel-group vendor type ipsec-ra

# Define the group characteristics
tunnel-group vendor general-attributes
  default-group-policy vendor

# Define the group password
tunnel-group vendor ipsec-attributes
  pre-shared-key *****

There are lots of other keywords you can include; for example, you can add 'vpn-idle-timeout 15' to the group-policy section and have the VPN log out after 15 minutes of idle time, you can add 'vpn-framed-ip-address' under the username attributes to assign an IP address to that user, and so on. But this framework will get you started... for more info, check out this link:

Sorry about the typo... the first line should read "you need four pieces..."  - the three names and an ACL.
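As an added example (not code from either poster), here is a small Python script that parses the deprecated PIX vpngroup lines from the question and emits the ASA group-policy, tunnel-group and username pieces the answer above describes, including the local username the accepted answer found necessary for the secondary (XAUTH) prompt. It assumes a hypothetical username and placeholder passwords, converts PIX idle-time (seconds) to ASA vpn-idle-timeout (minutes), and deliberately leaves out vpn-filter, which the accepted answer reports blocked traffic once connected.

```python
import re

# Constructed sample input: the deprecated PIX vpngroup lines from the question.
PIX_VPNGROUP = """\
vpngroup lestac address-pool vpnpool
vpngroup lestac password secret
vpngroup lestac dns-server yserver1
vpngroup lestac wins-server yserver1
vpngroup lestac default-domain harlow
vpngroup lestac idle-time 1800
"""

VPNGROUP_RE = re.compile(r"^vpngroup\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_vpngroup(text):
    """Return {group: {attribute: value}} from PIX 'vpngroup' lines; other lines are skipped."""
    groups = {}
    for line in text.splitlines():
        m = VPNGROUP_RE.match(line.strip())
        if m:
            name, attr, value = m.group(1), m.group(2), (m.group(3) or "").strip()
            groups.setdefault(name, {})[attr] = value
    return groups


def to_asa(groups, username):
    """Emit the ASA equivalent of each PIX vpngroup: group-policy, tunnel-group and
    the local username the ASA's secondary (XAUTH) prompt authenticates against."""
    out = []
    for name, a in groups.items():
        out += [f"group-policy {name} internal", f"group-policy {name} attributes"]
        for pix_attr, asa_cmd in (("dns-server", "dns-server value"),
                                  ("wins-server", "wins-server value"),
                                  ("default-domain", "default-domain value")):
            if pix_attr in a:
                out.append(f" {asa_cmd} {a[pix_attr]}")
        if "idle-time" in a:  # PIX idle-time is in seconds; ASA vpn-idle-timeout is in minutes
            out.append(f" vpn-idle-timeout {int(a['idle-time']) // 60}")
        out.append(" vpn-tunnel-protocol IPSec")
        out += [f"tunnel-group {name} type ipsec-ra", f"tunnel-group {name} general-attributes"]
        if "address-pool" in a:
            out.append(f" address-pool {a['address-pool']}")
        out.append(f" default-group-policy {name}")  # belongs under general-attributes, not ipsec-attributes
        out += [f"tunnel-group {name} ipsec-attributes",
                f" pre-shared-key {a.get('password', '<SET-GROUP-KEY>')}"]
        # Placeholder user password: the user must exist locally for XAUTH to succeed.
        out += [f"username {username} password <SET-USER-PASSWORD> privilege 2",
                f"username {username} attributes", f" vpn-group-policy {name}"]
    return "\n".join(out)


def migrate(text, username):
    """Parse PIX vpngroup config and return the equivalent ASA configuration text."""
    return to_asa(parse_vpngroup(text), username)
```

Run `print(migrate(PIX_VPNGROUP, "vpnuser"))` to see the generated ASA commands; replace the placeholders before pasting them into a real device.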
seworby (Author) commented:
Thanks for your help on this. As you can see from my code, I've got most of this in place. I've got the access_list bits in place, too, but didn't quote them because it's just not getting that far. I can't get past the Cisco client asking for username and password. The only bit I haven't got is the vpn_filter value bit, but I don't think it's going to be that causing my problem?
Having spent some time reading up last night, I'm wondering if it's my AAA I've got wrong. I'll have access to the ASA in a couple of hours and I'll take another look.
I'll let you know how I get on.